Crypto researchers: Time to use something better than 1024-bit encryption

Tim Greene
Oct. 20, 2015

It’s actually possible for entities with vast computing resources – such as the NSA and major national governments – to compromise commonly used Diffie-Hellman key exchange groups, so it’s time for businesses to switch to something else like elliptic curve cryptography, researchers say.

“It’s a long-term project,” but accomplishing it should be on the IT priority list, he says.

In Diffie-Hellman, endpoints that want to create an encryption key in order to secure connections between them first exchange keying information that includes large prime numbers. These formalized groups of primes are well established and some are known to be more widely used than others, Halderman says.

Performing some arduous math on a large prime p in these groups can eventually break Diffie-Hellman exchanges and the keys they generate, but the time involved is too great to make the attempt practical for 1024-bit groups – until now. “A single large precomputation on p can be used to efficiently break all Diffie-Hellman exchanges made with that prime,” the researchers write, and such calculations are “plausibly within the resources of state-level attackers.”

Because some Diffie-Hellman groups are widely used, carefully picking the right ones to break can expose the connections made by a large number of devices, the researchers say. According to their analysis, “an attacker who could perform precomputations for ten 1024-bit groups could passively decrypt traffic to about 66% of IKE VPNs, 26% of SSH servers, 16% of SMTP servers and 24% of popular HTTPS sites.”

The paper makes more concrete a warning put out years ago by the National Institute of Standards and Technology. “This is a warning,” Heninger says. “NIST recommended moving from 1024 by 2010; it’s now 2015.”

In order to make the transition, the researchers say businesses need to:

* evaluate how difficult it will be to move away from 1024-bit
* stop building apps and devices that use 1024-bit
* get rid of legacy 1024-bit gear as it becomes feasible
* reconfigure everything that can be reconfigured to make the encryption stronger
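
As an added illustration of the "reconfigure" step (not from the article or the researchers), the sketch below audits an OpenSSH-style moduli file and separates Diffie-Hellman groups whose prime is below a chosen floor. The 2048-bit floor, the function names and the sample lines are assumptions made for this example; the sample moduli are filler hex, not real primes.

```python
# Added example: audit an OpenSSH-style moduli file for weak Diffie-Hellman groups.
# Each non-comment line has seven whitespace-separated fields:
#   timestamp type tests trials size generator modulus(hex)
MIN_BITS = 2048  # assumption: policy floor chosen for this example


def audit_moduli(text, min_bits=MIN_BITS):
    """Split moduli lines into (keep, weak, malformed) by actual prime size."""
    keep, weak, malformed = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        fields = stripped.split()
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 fields")
            # Measure the prime itself rather than trusting the size column.
            bits = int(fields[6], 16).bit_length()
        except ValueError:
            malformed.append(lineno)
            continue
        (keep if bits >= min_bits else weak).append((lineno, bits, stripped))
    return keep, weak, malformed


def hardened_moduli(text, min_bits=MIN_BITS):
    """Return moduli file content containing only groups at or above the floor."""
    keep, _, _ = audit_moduli(text, min_bits)
    return "\n".join(line for _, _, line in keep) + "\n"


# Constructed sample: moduli are filler hex of the right length, not real safe primes.
SAMPLE = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20150101000000 2 6 100 1023 2 " + "F" * 256,
    "20150101000000 2 6 100 2047 2 " + "F" * 512,
    "20150101000000 2 6 100 4095 5 " + "E" * 1024,
    "20150101000000 2 6 100 2047 2",  # truncated line, reported as malformed
])

if __name__ == "__main__":
    keep, weak, malformed = audit_moduli(SAMPLE)
    for lineno, bits, _ in weak:
        print(f"line {lineno}: {bits}-bit group is below the {MIN_BITS}-bit floor")
    print(f"{len(keep)} kept, {len(weak)} weak, malformed lines: {malformed}")
```

Malformed lines are reported rather than silently kept, so a damaged file does not pass the audit unnoticed.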